dropbear SSH server: update security options
This updates the algorithms offered by the BMC's dropbear SSH server
when making new connections.
The options.patch file is deleted because it is obsolete. The
localoptions.h file is updated to OpenBMC project preferences. For
background, see the Dropbear project default_options.h file.
Tested: Validate intended algorithms via command: ssh -vv
- Before:
debug2: host key algorithms: rsa-sha2-256,ssh-rsa
debug2: MACs ctos: hmac-sha1,hmac-sha2-256,hmac-sha2-512
- After:
debug2: host key algorithms: rsa-sha2-256
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
Change-Id: I0eccb572c61ce3a800d2a189e9d84eb36ff592e7
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h b/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h
index 4a3ebcf..ea3b280 100644
--- a/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h
+++ b/meta-phosphor/recipes-core/dropbear/dropbear/localoptions.h
@@ -1,9 +1,11 @@
-// Disable CBC ciphers for modern security.
-#define DROPBEAR_ENABLE_CBC_MODE 0
+// Customizations. See dropbear project default_options.h
// Disable Chacha20-Poly1305 cipher.
#define DROPBEAR_CHACHA20POLY1305 0
-#define DROPBEAR_SHA1_96_HMAC 0
-#define DROPBEAR_SHA2_256_HMAC 1
+#define DROPBEAR_SHA1_HMAC 0
#define DROPBEAR_SHA2_512_HMAC 1
+
+#define DROPBEAR_RSA_SHA1 0
+
+#define DROPBEAR_DH_GROUP14_SHA1 0
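Review bot: The explicit `#define DROPBEAR_ENABLE_CBC_MODE 0` removed at the top of the hunk is not replaced, so the CBC policy now rests on whatever upstream default_options.h sets for the pinned dropbear version, and the `ssh -vv` output quoted in the description lists host-key algorithms and MACs but not the cipher list, so the test does not confirm CBC stays off. Keeping an explicit `#define DROPBEAR_ENABLE_CBC_MODE 0` in localoptions.h pins the intended policy regardless of future default changes. The three new SHA-1 related defines would also read better with one grouping comment, e.g. `// Disable SHA-1 based MACs, RSA signatures and DH group14 key exchange.`, since the file otherwise explains each setting.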
diff --git a/meta-phosphor/recipes-core/dropbear/dropbear/options.patch b/meta-phosphor/recipes-core/dropbear/dropbear/options.patch
deleted file mode 100644
index 5212243..0000000
--- a/meta-phosphor/recipes-core/dropbear/dropbear/options.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-diff --git a/options.h b/options.h
-index 0c51bb1..3df2d67 100644
---- a/options.h
-+++ b/options.h
-@@ -95,12 +95,12 @@ much traffic. */
- #define DROPBEAR_AES256
- /* Compiling in Blowfish will add ~6kB to runtime heap memory usage */
- /*#define DROPBEAR_BLOWFISH*/
--#define DROPBEAR_TWOFISH256
--#define DROPBEAR_TWOFISH128
-+/*#define DROPBEAR_TWOFISH256*/
-+/*#define DROPBEAR_TWOFISH128*/
-
- /* Enable CBC mode for ciphers. This has security issues though
- * is the most compatible with older SSH implementations */
--#define DROPBEAR_ENABLE_CBC_MODE
-+/*#define DROPBEAR_ENABLE_CBC_MODE*/
-
- /* Enable "Counter Mode" for ciphers. This is more secure than normal
- * CBC mode against certain attacks. It is recommended for security
-@@ -131,10 +131,10 @@ If you test it please contact the Dropbear author */
- * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
- * which are not the standard form. */
- #define DROPBEAR_SHA1_HMAC
--#define DROPBEAR_SHA1_96_HMAC
-+/*#define DROPBEAR_SHA1_96_HMAC*/
- #define DROPBEAR_SHA2_256_HMAC
- #define DROPBEAR_SHA2_512_HMAC
--#define DROPBEAR_MD5_HMAC
-+/*#define DROPBEAR_MD5_HMAC*/
-
- /* You can also disable integrity. Don't bother disabling this if you're
- * still using a cipher, it's relatively cheap. If you disable this it's dead